
October 20, 2009

Cross-site scripting safeguard mechanism in SharePoint 2010 – start preparation today…

by Anders B. Skjønaa

Since the Beta of SharePoint 2010 is NOT going to be made available to the delegates at the SharePoint Conference in Vegas this week, it will be a few weeks before people (besides the few who have already gotten an early build / virtual machine) actually get a chance to play around with SharePoint 2010.

So, just so that you don't forget, here’s a little reminder on a new protection mechanism in 2010 that may break some of the webparts that you would expect to move right over to the next version.

Moving forward, webpart developers will have to design webparts in a way that does not require users with Contributor privileges to set custom webpart properties. The system simply does not allow Contributors to edit these properties anymore. To edit custom webpart properties you need to have at least Designer rights. This may be a hard thing to remember, as the Contributor role normally has rights to set properties on webparts, but from now on… not the custom ones…

The reason is naturally all about security. If a person enters JavaScript code of some malicious kind into a custom webpart property, it will be saved with the part and executed in the browser of any user who loads the page containing the part. So even if the person who entered the code does not have the rights to do anything harmful themselves, the code will run the next time someone who does have those rights, an administrator for example, opens the page… Cross-site scripting… 😦

The catch is that this new cross-site scripting safeguard applies to ALL webparts in your site. That includes the webparts you have already built. So already today, you can – and you should – start to prepare for 2010 by running through all your webparts to identify where this will break them.
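As an added illustration (not code from the original post), here is a minimal web part with one custom, user-editable property, written the way the safeguard described above expects. The property is encoded on output so that a stored value such as `<script>…</script>` renders as text rather than executing, and the comments note the `SafeAgainstScript` setting on the `SafeControl` web.config entry that, to my knowledge, governs whether SharePoint 2010 restricts editing of custom properties to Designers. The class, namespace and property names are invented for the example.

```csharp
using System;
using System.ComponentModel;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls.WebParts;

// Added example, not from the original post. Names are hypothetical.
//
// In SharePoint 2010 the SafeControl entry for this assembly in web.config
// carries a SafeAgainstScript attribute (assumed from the 2010 object model):
//
//   <SafeControl Assembly="Example.WebParts, ..." Namespace="Example.WebParts"
//                TypeName="*" Safe="True" SafeAgainstScript="False" />
//
// With SafeAgainstScript="False" (the default), custom properties such as
// Greeting below can only be edited by users holding Designer rights, which is
// the behaviour the post warns will break Contributor-editable webparts.
namespace Example.WebParts
{
    public class GreetingWebPart : WebPart
    {
        private string _greeting = "Hello";

        // A custom, browsable property: this is the kind of value that a
        // Contributor could set in 2007 and that 2010 now reserves for Designers.
        [Personalizable(PersonalizationScope.Shared)]
        [WebBrowsable(true)]
        [WebDisplayName("Greeting text")]
        [WebDescription("Text shown at the top of the part")]
        [Category("Custom Properties")]
        public string Greeting
        {
            get { return _greeting; }
            set { _greeting = value; }
        }

        protected override void Render(HtmlTextWriter writer)
        {
            // VULNERABLE pattern (what the post describes): writing the stored
            // value verbatim would run any script a previous editor saved here,
            // in the browser of every user who opens the page.
            //
            //   writer.Write("<h2>" + Greeting + "</h2>");

            // SAFE pattern: encode on output. The value is stored exactly as
            // typed, but the browser receives &lt;script&gt; as text.
            writer.RenderBeginTag(HtmlTextWriterTag.H2);
            writer.Write(HttpUtility.HtmlEncode(Greeting ?? string.Empty));
            writer.RenderEndTag();
        }
    }
}
```

Encoding on output is what makes the property safe to render regardless of who was allowed to set it; the permission restriction SharePoint 2010 adds is a second layer on top, and auditing each existing webpart for unencoded property output is the concrete check to run while preparing for the upgrade.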

I am planning to post more info on this later.
